Hay
Date
May 13, 2025, 12:07 p.m.

Environment
qemu-arm64
qemu-x86_64

[   19.545316] ==================================================================
[   19.545414] BUG: KASAN: slab-use-after-free in ksize_uaf+0x168/0x5f8
[   19.545499] Read of size 1 at addr fff00000c4065800 by task kunit_try_catch/196
[   19.545557] 
[   19.545604] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc6-next-20250513 #1 PREEMPT 
[   19.545706] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.545739] Hardware name: linux,dummy-virt (DT)
[   19.545777] Call trace:
[   19.545817]  show_stack+0x20/0x38 (C)
[   19.545882]  dump_stack_lvl+0x8c/0xd0
[   19.545940]  print_report+0x118/0x608
[   19.546011]  kasan_report+0xdc/0x128
[   19.546065]  __kasan_check_byte+0x54/0x70
[   19.546116]  ksize+0x30/0x88
[   19.546167]  ksize_uaf+0x168/0x5f8
[   19.546215]  kunit_try_run_case+0x170/0x3f0
[   19.546270]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.546328]  kthread+0x328/0x630
[   19.546380]  ret_from_fork+0x10/0x20
[   19.546438] 
[   19.546514] Allocated by task 196:
[   19.546548]  kasan_save_stack+0x3c/0x68
[   19.546601]  kasan_save_track+0x20/0x40
[   19.546643]  kasan_save_alloc_info+0x40/0x58
[   19.546690]  __kasan_kmalloc+0xd4/0xd8
[   19.546731]  __kmalloc_cache_noprof+0x15c/0x3c0
[   19.546778]  ksize_uaf+0xb8/0x5f8
[   19.546817]  kunit_try_run_case+0x170/0x3f0
[   19.546861]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.546908]  kthread+0x328/0x630
[   19.546947]  ret_from_fork+0x10/0x20
[   19.547003] 
[   19.547026] Freed by task 196:
[   19.547059]  kasan_save_stack+0x3c/0x68
[   19.547104]  kasan_save_track+0x20/0x40
[   19.547167]  kasan_save_free_info+0x4c/0x78
[   19.547289]  __kasan_slab_free+0x6c/0x98
[   19.547399]  kfree+0x214/0x3c8
[   19.547454]  ksize_uaf+0x11c/0x5f8
[   19.547511]  kunit_try_run_case+0x170/0x3f0
[   19.547553]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.547602]  kthread+0x328/0x630
[   19.547657]  ret_from_fork+0x10/0x20
[   19.547769] 
[   19.547795] The buggy address belongs to the object at fff00000c4065800
[   19.547795]  which belongs to the cache kmalloc-128 of size 128
[   19.547865] The buggy address is located 0 bytes inside of
[   19.547865]  freed 128-byte region [fff00000c4065800, fff00000c4065880)
[   19.547932] 
[   19.548131] The buggy address belongs to the physical page:
[   19.548170] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104065
[   19.548232] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   19.548287] page_type: f5(slab)
[   19.548338] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   19.548395] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   19.548439] page dumped because: kasan: bad access detected
[   19.548476] 
[   19.548496] Memory state around the buggy address:
[   19.548533]  fff00000c4065700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.548583]  fff00000c4065780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.548631] >fff00000c4065800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.548672]                    ^
[   19.548705]  fff00000c4065880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.548779]  fff00000c4065900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.548824] ==================================================================
[   19.554056] ==================================================================
[   19.554130] BUG: KASAN: slab-use-after-free in ksize_uaf+0x544/0x5f8
[   19.554196] Read of size 1 at addr fff00000c4065878 by task kunit_try_catch/196
[   19.554252] 
[   19.554290] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc6-next-20250513 #1 PREEMPT 
[   19.554384] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.554416] Hardware name: linux,dummy-virt (DT)
[   19.554464] Call trace:
[   19.554494]  show_stack+0x20/0x38 (C)
[   19.554551]  dump_stack_lvl+0x8c/0xd0
[   19.554604]  print_report+0x118/0x608
[   19.554688]  kasan_report+0xdc/0x128
[   19.554751]  __asan_report_load1_noabort+0x20/0x30
[   19.554809]  ksize_uaf+0x544/0x5f8
[   19.554855]  kunit_try_run_case+0x170/0x3f0
[   19.554907]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.555042]  kthread+0x328/0x630
[   19.555101]  ret_from_fork+0x10/0x20
[   19.555179] 
[   19.555203] Allocated by task 196:
[   19.555234]  kasan_save_stack+0x3c/0x68
[   19.555281]  kasan_save_track+0x20/0x40
[   19.555325]  kasan_save_alloc_info+0x40/0x58
[   19.555369]  __kasan_kmalloc+0xd4/0xd8
[   19.555410]  __kmalloc_cache_noprof+0x15c/0x3c0
[   19.555454]  ksize_uaf+0xb8/0x5f8
[   19.555492]  kunit_try_run_case+0x170/0x3f0
[   19.555533]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.555581]  kthread+0x328/0x630
[   19.555619]  ret_from_fork+0x10/0x20
[   19.555660] 
[   19.555680] Freed by task 196:
[   19.555711]  kasan_save_stack+0x3c/0x68
[   19.555753]  kasan_save_track+0x20/0x40
[   19.555793]  kasan_save_free_info+0x4c/0x78
[   19.555838]  __kasan_slab_free+0x6c/0x98
[   19.555879]  kfree+0x214/0x3c8
[   19.555916]  ksize_uaf+0x11c/0x5f8
[   19.555954]  kunit_try_run_case+0x170/0x3f0
[   19.556012]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.556062]  kthread+0x328/0x630
[   19.556103]  ret_from_fork+0x10/0x20
[   19.556144] 
[   19.556166] The buggy address belongs to the object at fff00000c4065800
[   19.556166]  which belongs to the cache kmalloc-128 of size 128
[   19.556230] The buggy address is located 120 bytes inside of
[   19.556230]  freed 128-byte region [fff00000c4065800, fff00000c4065880)
[   19.556296] 
[   19.556322] The buggy address belongs to the physical page:
[   19.556355] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104065
[   19.556412] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   19.556463] page_type: f5(slab)
[   19.556547] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   19.556608] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   19.556660] page dumped because: kasan: bad access detected
[   19.556733] 
[   19.556769] Memory state around the buggy address:
[   19.556806]  fff00000c4065700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.556907]  fff00000c4065780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.556964] >fff00000c4065800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.557044]                                                                 ^
[   19.557103]  fff00000c4065880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.557150]  fff00000c4065900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.557192] ==================================================================
[   19.549914] ==================================================================
[   19.549994] BUG: KASAN: slab-use-after-free in ksize_uaf+0x598/0x5f8
[   19.550062] Read of size 1 at addr fff00000c4065800 by task kunit_try_catch/196
[   19.550119] 
[   19.550162] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc6-next-20250513 #1 PREEMPT 
[   19.550262] Tainted: [B]=BAD_PAGE, [N]=TEST
[   19.550316] Hardware name: linux,dummy-virt (DT)
[   19.550389] Call trace:
[   19.550418]  show_stack+0x20/0x38 (C)
[   19.550524]  dump_stack_lvl+0x8c/0xd0
[   19.550579]  print_report+0x118/0x608
[   19.550633]  kasan_report+0xdc/0x128
[   19.550685]  __asan_report_load1_noabort+0x20/0x30
[   19.550741]  ksize_uaf+0x598/0x5f8
[   19.550790]  kunit_try_run_case+0x170/0x3f0
[   19.550843]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.550900]  kthread+0x328/0x630
[   19.550956]  ret_from_fork+0x10/0x20
[   19.551026] 
[   19.551048] Allocated by task 196:
[   19.551080]  kasan_save_stack+0x3c/0x68
[   19.551129]  kasan_save_track+0x20/0x40
[   19.551171]  kasan_save_alloc_info+0x40/0x58
[   19.551216]  __kasan_kmalloc+0xd4/0xd8
[   19.551257]  __kmalloc_cache_noprof+0x15c/0x3c0
[   19.551328]  ksize_uaf+0xb8/0x5f8
[   19.551374]  kunit_try_run_case+0x170/0x3f0
[   19.551424]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.551471]  kthread+0x328/0x630
[   19.551511]  ret_from_fork+0x10/0x20
[   19.551552] 
[   19.551574] Freed by task 196:
[   19.551606]  kasan_save_stack+0x3c/0x68
[   19.551646]  kasan_save_track+0x20/0x40
[   19.551687]  kasan_save_free_info+0x4c/0x78
[   19.551732]  __kasan_slab_free+0x6c/0x98
[   19.551773]  kfree+0x214/0x3c8
[   19.551839]  ksize_uaf+0x11c/0x5f8
[   19.551881]  kunit_try_run_case+0x170/0x3f0
[   19.551922]  kunit_generic_run_threadfn_adapter+0x88/0x100
[   19.552026]  kthread+0x328/0x630
[   19.552074]  ret_from_fork+0x10/0x20
[   19.552114] 
[   19.552140] The buggy address belongs to the object at fff00000c4065800
[   19.552140]  which belongs to the cache kmalloc-128 of size 128
[   19.552204] The buggy address is located 0 bytes inside of
[   19.552204]  freed 128-byte region [fff00000c4065800, fff00000c4065880)
[   19.552353] 
[   19.552481] The buggy address belongs to the physical page:
[   19.552521] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x104065
[   19.552582] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   19.552646] page_type: f5(slab)
[   19.552736] raw: 0bfffe0000000000 fff00000c0001a00 dead000000000122 0000000000000000
[   19.552797] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   19.552841] page dumped because: kasan: bad access detected
[   19.552876] 
[   19.552897] Memory state around the buggy address:
[   19.552932]  fff00000c4065700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.553005]  fff00000c4065780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.553057] >fff00000c4065800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   19.553099]                    ^
[   19.553134]  fff00000c4065880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.553182]  fff00000c4065900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   19.553225] ==================================================================

[   11.612140] ==================================================================
[   11.612491] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5fe/0x6c0
[   11.612890] Read of size 1 at addr ffff8881026a8b00 by task kunit_try_catch/213
[   11.613210] 
[   11.613326] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc6-next-20250513 #1 PREEMPT(voluntary) 
[   11.613373] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.613384] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.613404] Call Trace:
[   11.613425]  <TASK>
[   11.613439]  dump_stack_lvl+0x73/0xb0
[   11.613466]  print_report+0xd1/0x650
[   11.613500]  ? __virt_addr_valid+0x1db/0x2d0
[   11.613522]  ? ksize_uaf+0x5fe/0x6c0
[   11.613585]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.613626]  ? ksize_uaf+0x5fe/0x6c0
[   11.613647]  kasan_report+0x141/0x180
[   11.613670]  ? ksize_uaf+0x5fe/0x6c0
[   11.613706]  __asan_report_load1_noabort+0x18/0x20
[   11.613727]  ksize_uaf+0x5fe/0x6c0
[   11.613748]  ? __pfx_ksize_uaf+0x10/0x10
[   11.613769]  ? __schedule+0x10cc/0x2b60
[   11.613791]  ? __pfx_read_tsc+0x10/0x10
[   11.613810]  ? ktime_get_ts64+0x86/0x230
[   11.613843]  kunit_try_run_case+0x1a5/0x480
[   11.613866]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.613887]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.613920]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.613941]  ? __kthread_parkme+0x82/0x180
[   11.613961]  ? preempt_count_sub+0x50/0x80
[   11.613986]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.614009]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.614031]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.614054]  kthread+0x337/0x6f0
[   11.614082]  ? trace_preempt_on+0x20/0xc0
[   11.614105]  ? __pfx_kthread+0x10/0x10
[   11.614126]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.614156]  ? calculate_sigpending+0x7b/0xa0
[   11.614179]  ? __pfx_kthread+0x10/0x10
[   11.614201]  ret_from_fork+0x116/0x1d0
[   11.614218]  ? __pfx_kthread+0x10/0x10
[   11.614239]  ret_from_fork_asm+0x1a/0x30
[   11.614280]  </TASK>
[   11.614292] 
[   11.621934] Allocated by task 213:
[   11.622069]  kasan_save_stack+0x45/0x70
[   11.622211]  kasan_save_track+0x18/0x40
[   11.622489]  kasan_save_alloc_info+0x3b/0x50
[   11.622717]  __kasan_kmalloc+0xb7/0xc0
[   11.622909]  __kmalloc_cache_noprof+0x189/0x420
[   11.623125]  ksize_uaf+0xaa/0x6c0
[   11.623463]  kunit_try_run_case+0x1a5/0x480
[   11.623781]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.623977]  kthread+0x337/0x6f0
[   11.624175]  ret_from_fork+0x116/0x1d0
[   11.624372]  ret_from_fork_asm+0x1a/0x30
[   11.624622] 
[   11.624740] Freed by task 213:
[   11.624893]  kasan_save_stack+0x45/0x70
[   11.625102]  kasan_save_track+0x18/0x40
[   11.625312]  kasan_save_free_info+0x3f/0x60
[   11.625509]  __kasan_slab_free+0x56/0x70
[   11.625712]  kfree+0x222/0x3f0
[   11.625828]  ksize_uaf+0x12c/0x6c0
[   11.625954]  kunit_try_run_case+0x1a5/0x480
[   11.626097]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.626750]  kthread+0x337/0x6f0
[   11.626946]  ret_from_fork+0x116/0x1d0
[   11.627136]  ret_from_fork_asm+0x1a/0x30
[   11.627573] 
[   11.627709] The buggy address belongs to the object at ffff8881026a8b00
[   11.627709]  which belongs to the cache kmalloc-128 of size 128
[   11.628136] The buggy address is located 0 bytes inside of
[   11.628136]  freed 128-byte region [ffff8881026a8b00, ffff8881026a8b80)
[   11.628553] 
[   11.628669] The buggy address belongs to the physical page:
[   11.628944] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026a8
[   11.629389] flags: 0x200000000000000(node=0|zone=2)
[   11.629719] page_type: f5(slab)
[   11.629917] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.630180] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.630456] page dumped because: kasan: bad access detected
[   11.630746] 
[   11.630858] Memory state around the buggy address:
[   11.631288]  ffff8881026a8a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.631871]  ffff8881026a8a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.632147] >ffff8881026a8b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.632545]                    ^
[   11.632807]  ffff8881026a8b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.633107]  ffff8881026a8c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.633444] ==================================================================
[   11.588474] ==================================================================
[   11.589179] BUG: KASAN: slab-use-after-free in ksize_uaf+0x19d/0x6c0
[   11.589607] Read of size 1 at addr ffff8881026a8b00 by task kunit_try_catch/213
[   11.590045] 
[   11.590198] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc6-next-20250513 #1 PREEMPT(voluntary) 
[   11.590247] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.590259] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.590278] Call Trace:
[   11.590290]  <TASK>
[   11.590306]  dump_stack_lvl+0x73/0xb0
[   11.590347]  print_report+0xd1/0x650
[   11.590369]  ? __virt_addr_valid+0x1db/0x2d0
[   11.590394]  ? ksize_uaf+0x19d/0x6c0
[   11.590425]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.590448]  ? ksize_uaf+0x19d/0x6c0
[   11.590477]  kasan_report+0x141/0x180
[   11.590499]  ? ksize_uaf+0x19d/0x6c0
[   11.590523]  ? ksize_uaf+0x19d/0x6c0
[   11.590547]  __kasan_check_byte+0x3d/0x50
[   11.590569]  ksize+0x20/0x60
[   11.590590]  ksize_uaf+0x19d/0x6c0
[   11.590611]  ? __pfx_ksize_uaf+0x10/0x10
[   11.590642]  ? __schedule+0x10cc/0x2b60
[   11.590664]  ? __pfx_read_tsc+0x10/0x10
[   11.590685]  ? ktime_get_ts64+0x86/0x230
[   11.590719]  kunit_try_run_case+0x1a5/0x480
[   11.590744]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.590765]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.590798]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.590820]  ? __kthread_parkme+0x82/0x180
[   11.590840]  ? preempt_count_sub+0x50/0x80
[   11.590865]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.590888]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.590910]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.590942]  kthread+0x337/0x6f0
[   11.590961]  ? trace_preempt_on+0x20/0xc0
[   11.590985]  ? __pfx_kthread+0x10/0x10
[   11.591016]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.591037]  ? calculate_sigpending+0x7b/0xa0
[   11.591061]  ? __pfx_kthread+0x10/0x10
[   11.591082]  ret_from_fork+0x116/0x1d0
[   11.591100]  ? __pfx_kthread+0x10/0x10
[   11.591120]  ret_from_fork_asm+0x1a/0x30
[   11.591152]  </TASK>
[   11.591163] 
[   11.599273] Allocated by task 213:
[   11.599404]  kasan_save_stack+0x45/0x70
[   11.599548]  kasan_save_track+0x18/0x40
[   11.599812]  kasan_save_alloc_info+0x3b/0x50
[   11.600030]  __kasan_kmalloc+0xb7/0xc0
[   11.600242]  __kmalloc_cache_noprof+0x189/0x420
[   11.600439]  ksize_uaf+0xaa/0x6c0
[   11.600562]  kunit_try_run_case+0x1a5/0x480
[   11.600719]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.601267]  kthread+0x337/0x6f0
[   11.601464]  ret_from_fork+0x116/0x1d0
[   11.601864]  ret_from_fork_asm+0x1a/0x30
[   11.602057] 
[   11.602154] Freed by task 213:
[   11.602390]  kasan_save_stack+0x45/0x70
[   11.602671]  kasan_save_track+0x18/0x40
[   11.602884]  kasan_save_free_info+0x3f/0x60
[   11.603074]  __kasan_slab_free+0x56/0x70
[   11.603275]  kfree+0x222/0x3f0
[   11.603430]  ksize_uaf+0x12c/0x6c0
[   11.603840]  kunit_try_run_case+0x1a5/0x480
[   11.604174]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.604429]  kthread+0x337/0x6f0
[   11.604706]  ret_from_fork+0x116/0x1d0
[   11.604894]  ret_from_fork_asm+0x1a/0x30
[   11.605076] 
[   11.605148] The buggy address belongs to the object at ffff8881026a8b00
[   11.605148]  which belongs to the cache kmalloc-128 of size 128
[   11.605491] The buggy address is located 0 bytes inside of
[   11.605491]  freed 128-byte region [ffff8881026a8b00, ffff8881026a8b80)
[   11.606011] 
[   11.606130] The buggy address belongs to the physical page:
[   11.606474] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026a8
[   11.606812] flags: 0x200000000000000(node=0|zone=2)
[   11.606976] page_type: f5(slab)
[   11.607098] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.607670] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.608043] page dumped because: kasan: bad access detected
[   11.608433] 
[   11.609509] Memory state around the buggy address:
[   11.609750]  ffff8881026a8a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.609964]  ffff8881026a8a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.610175] >ffff8881026a8b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.610400]                    ^
[   11.610570]  ffff8881026a8b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.610897]  ffff8881026a8c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.611248] ==================================================================
[   11.634021] ==================================================================
[   11.634386] BUG: KASAN: slab-use-after-free in ksize_uaf+0x5e4/0x6c0
[   11.634772] Read of size 1 at addr ffff8881026a8b78 by task kunit_try_catch/213
[   11.635035] 
[   11.635122] CPU: 1 UID: 0 PID: 213 Comm: kunit_try_catch Tainted: G    B            N  6.15.0-rc6-next-20250513 #1 PREEMPT(voluntary) 
[   11.635167] Tainted: [B]=BAD_PAGE, [N]=TEST
[   11.635179] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   11.635199] Call Trace:
[   11.635224]  <TASK>
[   11.635239]  dump_stack_lvl+0x73/0xb0
[   11.635266]  print_report+0xd1/0x650
[   11.635299]  ? __virt_addr_valid+0x1db/0x2d0
[   11.635321]  ? ksize_uaf+0x5e4/0x6c0
[   11.635341]  ? kasan_complete_mode_report_info+0x64/0x200
[   11.635363]  ? ksize_uaf+0x5e4/0x6c0
[   11.635385]  kasan_report+0x141/0x180
[   11.635407]  ? ksize_uaf+0x5e4/0x6c0
[   11.635433]  __asan_report_load1_noabort+0x18/0x20
[   11.635453]  ksize_uaf+0x5e4/0x6c0
[   11.635474]  ? __pfx_ksize_uaf+0x10/0x10
[   11.635496]  ? __schedule+0x10cc/0x2b60
[   11.635518]  ? __pfx_read_tsc+0x10/0x10
[   11.635589]  ? ktime_get_ts64+0x86/0x230
[   11.635627]  kunit_try_run_case+0x1a5/0x480
[   11.635653]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.635684]  ? _raw_spin_lock_irqsave+0xa1/0x100
[   11.635708]  ? _raw_spin_unlock_irqrestore+0x5f/0x90
[   11.635729]  ? __kthread_parkme+0x82/0x180
[   11.635760]  ? preempt_count_sub+0x50/0x80
[   11.635784]  ? __pfx_kunit_try_run_case+0x10/0x10
[   11.635807]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.635829]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[   11.635853]  kthread+0x337/0x6f0
[   11.635872]  ? trace_preempt_on+0x20/0xc0
[   11.635895]  ? __pfx_kthread+0x10/0x10
[   11.635916]  ? _raw_spin_unlock_irq+0x47/0x80
[   11.635936]  ? calculate_sigpending+0x7b/0xa0
[   11.635960]  ? __pfx_kthread+0x10/0x10
[   11.635981]  ret_from_fork+0x116/0x1d0
[   11.635999]  ? __pfx_kthread+0x10/0x10
[   11.636020]  ret_from_fork_asm+0x1a/0x30
[   11.636052]  </TASK>
[   11.636062] 
[   11.643820] Allocated by task 213:
[   11.644002]  kasan_save_stack+0x45/0x70
[   11.644378]  kasan_save_track+0x18/0x40
[   11.644674]  kasan_save_alloc_info+0x3b/0x50
[   11.644897]  __kasan_kmalloc+0xb7/0xc0
[   11.645082]  __kmalloc_cache_noprof+0x189/0x420
[   11.645386]  ksize_uaf+0xaa/0x6c0
[   11.645638]  kunit_try_run_case+0x1a5/0x480
[   11.645834]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.646074]  kthread+0x337/0x6f0
[   11.646195]  ret_from_fork+0x116/0x1d0
[   11.646395]  ret_from_fork_asm+0x1a/0x30
[   11.646604] 
[   11.646708] Freed by task 213:
[   11.646904]  kasan_save_stack+0x45/0x70
[   11.647085]  kasan_save_track+0x18/0x40
[   11.647220]  kasan_save_free_info+0x3f/0x60
[   11.647361]  __kasan_slab_free+0x56/0x70
[   11.647498]  kfree+0x222/0x3f0
[   11.647622]  ksize_uaf+0x12c/0x6c0
[   11.647798]  kunit_try_run_case+0x1a5/0x480
[   11.648067]  kunit_generic_run_threadfn_adapter+0x85/0xf0
[   11.648505]  kthread+0x337/0x6f0
[   11.648936]  ret_from_fork+0x116/0x1d0
[   11.649139]  ret_from_fork_asm+0x1a/0x30
[   11.649316] 
[   11.649389] The buggy address belongs to the object at ffff8881026a8b00
[   11.649389]  which belongs to the cache kmalloc-128 of size 128
[   11.650048] The buggy address is located 120 bytes inside of
[   11.650048]  freed 128-byte region [ffff8881026a8b00, ffff8881026a8b80)
[   11.650839] 
[   11.650971] The buggy address belongs to the physical page:
[   11.651233] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1026a8
[   11.651554] flags: 0x200000000000000(node=0|zone=2)
[   11.651732] page_type: f5(slab)
[   11.651989] raw: 0200000000000000 ffff888100041a00 dead000000000122 0000000000000000
[   11.652425] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   11.652841] page dumped because: kasan: bad access detected
[   11.653048] 
[   11.653144] Memory state around the buggy address:
[   11.653727]  ffff8881026a8a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.654041]  ffff8881026a8a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.654390] >ffff8881026a8b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   11.654795]                                                                 ^
[   11.655090]  ffff8881026a8b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.655405]  ffff8881026a8c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.655677] ==================================================================
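Reading the six reports above: all of them come from the `ksize_uaf` case of the KASAN KUnit suite (`Comm: kunit_try_catch`, taint flag `[N]=TEST`), which frees a `kmalloc-128` object and then deliberately touches it three times: once through `ksize()` (caught in `__kasan_check_byte`), once as a direct 1-byte load at offset 0, and once as a direct load at offset 120, the last byte the test allocated (the test asks for `128 - KASAN_GRANULE_SIZE` bytes, which is why the third access lands 120 bytes in). Three slab-use-after-free reports per architecture, with the allocation and free stacks both inside `ksize_uaf`, is therefore the expected, passing output of that test, not a use-after-free in `ksize()`; a CI triage rule that flags any KASAN splat as a regression needs to whitelist reports whose allocating and freeing task is the KUnit thread and whose taint includes `N`.

The "Memory state around the buggy address" rows are the part of the report that tells you what the allocator thought of the memory at the time of the access. The decoder below, written for this page as an added example (it is not kernel code and not part of the KUnit test), parses those rows exactly as `mm/kasan/report.c` prints them for generic KASAN, maps an access address to its shadow byte, names the state that byte encodes (0xfa/0xfb freed object, 0xfc slab redzone, 0x00 addressable), and reproduces the column of the `^` marker. It assumes `KASAN_GRANULE_SIZE == 8` and 64-bit addresses; the sample rows are copied from the first arm64 report above. Tag-based KASAN modes use a different shadow encoding and are not covered.

```c
/*
 * Decoder for the "Memory state around the buggy address" rows of a
 * generic-mode (CONFIG_KASAN_GENERIC) KASAN report. Added example for this
 * page, not kernel code and not part of the ksize_uaf KUnit test. Assumes
 * KASAN_GRANULE_SIZE == 8 and the 64-bit row layout of mm/kasan/report.c.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define GRANULE       8    /* bytes of memory per shadow byte */
#define BYTES_PER_ROW 16   /* shadow bytes per dumped row (128 bytes of memory) */

struct shadow_row {
	uint64_t base;                  /* memory address the row starts at */
	uint8_t  shadow[BYTES_PER_ROW];
};

/* Shadow values from mm/kasan/kasan.h (generic mode). */
static const char *shadow_meaning(int s)
{
	switch (s) {
	case 0x00: return "addressable";
	case 0xfa: return "freed slab object, first granule (holds the free track)";
	case 0xfb: return "freed slab object";
	case 0xfc: return "slab redzone";
	case 0xfe: return "page redzone";
	case 0xff: return "freed page";
	default:   return (s >= 0x01 && s <= 0x07) ? "partially addressable" : "other";
	}
}

/* Parse " fff00000c4065800: fa fb ..." (the guilty row starts with '>'). */
static int parse_shadow_row(const char *text, struct shadow_row *row)
{
	char *end;

	while (*text == ' ' || *text == '>')
		text++;
	row->base = strtoull(text, &end, 16);
	if (end == text || *end != ':')
		return -1;
	text = end + 1;
	for (int i = 0; i < BYTES_PER_ROW; i++) {
		unsigned long v = strtoul(text, &end, 16);
		if (end == text || v > 0xff)
			return -1;
		row->shadow[i] = (uint8_t)v;
		text = end;
	}
	return 0;
}

/* Shadow byte covering addr, or -1 when addr is outside the dumped rows. */
static int shadow_at(const struct shadow_row *rows, size_t n, uint64_t addr)
{
	for (size_t i = 0; i < n; i++)
		if (addr >= rows[i].base && addr - rows[i].base < GRANULE * BYTES_PER_ROW)
			return rows[i].shadow[(addr - rows[i].base) / GRANULE];
	return -1;
}

/* Width of the "^" line under the guilty row: ">%px: " prefix (3 + 16 chars on
 * 64-bit), 3 chars per shadow byte before the hit granule, plus the caret.
 * Mirrors meta_pointer_offset() in mm/kasan/report.c. */
static int caret_width(uint64_t row_base, uint64_t addr)
{
	return 3 + 16 + (int)((addr - row_base) / GRANULE) * 3 + 1;
}

/* Rows copied from the first arm64 report on this page. */
static const char *const sample_rows[] = {
	" fff00000c4065700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
	" fff00000c4065780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
	">fff00000c4065800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
	" fff00000c4065880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
	" fff00000c4065900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
};
#define NSAMPLE (sizeof(sample_rows) / sizeof(sample_rows[0]))

/* Shadow byte for addr in the sample rows (-1 if absent); when out is non-NULL,
 * also describe the access relative to the freed object the report names. */
static int decode_sample(uint64_t addr, char *out, size_t outlen)
{
	const uint64_t object = 0xfff00000c4065800ULL; /* "object at" in the report */
	struct shadow_row rows[NSAMPLE];

	for (size_t i = 0; i < NSAMPLE; i++)
		if (parse_shadow_row(sample_rows[i], &rows[i]) != 0)
			return -1;
	int s = shadow_at(rows, NSAMPLE, addr);
	if (s >= 0 && out)
		snprintf(out, outlen, "%llx: %lld bytes into object, shadow %02x = %s",
			 (unsigned long long)addr, (long long)(addr - object),
			 s, shadow_meaning(s));
	return s;
}
```

Calling `decode_sample()` with the two addresses the arm64 reports name, `fff00000c4065800` and `fff00000c4065878`, yields shadow 0xfa and 0xfb respectively, i.e. both accesses hit a freed object, with the second one 120 bytes in, matching "located 120 bytes inside of freed 128-byte region"; `fff00000c4065880` resolves to 0xfc, the redzone following the object. `caret_width()` returns 20 for offset 0 and 65 for offset 120, which is the 19- and 64-space indentation of the `^` lines in the reports. The same parser works on the x86_64 rows, since the row format does not depend on the architecture.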